How to dump an MPress packed binary…

Someone at the macserialjunkie board posted a problem with the MPress packer. Since packers are a pretty rare thing on OS X and I was bored, I decided to give it a quick look. The result is another tutorial about manually unpacking this kind of binary. It’s not hard and the packer isn’t that great.

Objective-C binaries can be dumped, but I think there is a problem with NIB references. I was already investigating this problem with other dumping experiences. Some other stuff must be fixed before dumps of Objective-C binaries can be used. If you have any hint about this, please tell me!

If something isn’t clear or it’s missing, feel free to leave a comment so everyone can enjoy it.

That’s it for now! Enjoy!

fG!

Attachment: mmpress-packer.txt (SHA1(mmpress-packer.txt) = 15e701176bade752a0cfb00735a20255a0acabd4)

4 thoughts on “How to dump an MPress packed binary…”

  1. I think the nib problem is due to the objc segment. If you otx the unpacked file you’ll see the same output as with the original binary, but no method has a name and no message send is annotated. The constant strings are correct though. Looking at the unpacked binary shows that the objc segment seems to be offset a bit further than it should be, and then the runtime probably can’t read the objc information properly.

    I’ve just tried to simply remove some zeros with hex-edit so that the segment data starts at the offset where it should start, then otx shows much more useful information.

    I guess that’s due to the relocation when a file is mapped to the VM. If the load commands map the file data to the VM not one after the other but with some gaps in between, then the load commands of the unmapped binary might need to be adjusted according to the vmmap printout.

    -+TheTuKays+-

    1. Hello,

      You are pointing to the correct place. I did some tests a few weeks ago, comparing the original and a dump, and from what I can remember, if I patched a few bytes the dumped binary would run without any problem. By patching I mean zeroing some stuff, as far as I can remember. I had no time to explore what that stuff corresponded to. I’m going to get back to it since it’s something I would like to solve 🙂

      Bye,
      fG!
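To make the offset hypothesis from the comments checkable, here is an added example (not from the post, the attached tutorial or either commenter) that parses the LC_SEGMENT_64 commands of a 64-bit Mach-O and compares each segment’s fileoff with where a linear memory dump would place it, assuming the dump starts at the __TEXT base address. The two-segment image it inspects is constructed inside the script, not a real binary.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O magic
LC_SEGMENT_64 = 0x19       # segment load command for 64-bit images

def parse_segments(data):
    """Return [(name, vmaddr, vmsize, fileoff, filesize)] for every LC_SEGMENT_64."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    segs, off = [], 32                      # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<16sQQQQ", data, off + 8)
            segs.append((name.rstrip(b"\0").decode(), vmaddr, vmsize, fileoff, filesize))
        off += cmdsize                      # skip maxprot/initprot/nsects/flags and other commands
    return segs

def check_dump_layout(data):
    """Assumption: the file is a linear memory dump, so file offset 0 is the __TEXT base and
    each file-backed segment must sit at fileoff == vmaddr - base. Return a list of mismatches."""
    segs = parse_segments(data)
    base = next(v for n, v, *_ in segs if n == "__TEXT")
    problems = []
    for name, vmaddr, _vmsize, fileoff, filesize in segs:
        if filesize == 0:                   # __PAGEZERO-style segments have no file data
            continue
        expected = vmaddr - base
        if fileoff != expected:
            problems.append(f"{name}: fileoff 0x{fileoff:x} but dump places it at 0x{expected:x}")
        if fileoff + filesize > len(data):
            problems.append(f"{name}: segment extends past end of file")
    return problems

def build_sample(data_fileoff):
    """Constructed two-segment image (hypothetical, not a real binary); data_fileoff is the
    __DATA fileoff so a mis-adjusted load command can be simulated."""
    def seg(name, vmaddr, fileoff):
        return struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, name, vmaddr, 0x1000, fileoff, 0x1000, 7, 5, 0, 0)
    cmds = seg(b"__TEXT", 0x100000000, 0) + seg(b"__DATA", 0x100001000, data_fileoff)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0)
    img = hdr + cmds
    return img + b"\0" * (0x2000 - len(img))   # pad to two 4 KiB pages

if __name__ == "__main__":
    print("consistent :", check_dump_layout(build_sample(0x1000)))
    print("mis-adjusted:", check_dump_layout(build_sample(0x2000)))
```

Run it against a real dump by passing the file bytes to check_dump_layout(); every reported segment is one whose load command needs its fileoff adjusted before the image matches the vmmap layout.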
